Integrating CDH 6.3 with OpenLDAP
Installing OpenLDAP
Overview
- 1. Install the OpenLDAP service
- 2. Import the root domain and the administrator account
- 3. Import the base entries, users and groups
- 4. Configure the OpenLDAP client
Test environment
1. CentOS 7.4
2. OpenLDAP version 2.4.44
OpenLDAP server installation
Pick one server in the cluster (pd-cdh-192-168-0-7-node) as the OpenLDAP server.
- 1. Run the following command to install the OpenLDAP packages
[root@pd-cdh-192-168-0-7-node ~]# yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl
Check the installed RPM packages
[root@pd-cdh-192-168-0-7-node ~]# rpm -qa |grep openldap
openldap-clients-2.4.44-24.el7_9.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-servers-2.4.44-24.el7_9.x86_64
openldap-2.4.44-24.el7_9.x86_64
openldap-devel-2.4.44-24.el7_9.x86_64
- 2. Edit the OpenLDAP slapd.ldif configuration file
After installation, the default configuration file and database files live under /usr/share/openldap-servers
[root@pd-cdh-192-168-0-7-node ~]# cp /usr/share/openldap-servers/slapd.ldif /root/
[root@pd-cdh-192-168-0-7-node ~]# vim slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
# Leave the following commented out if TLS encryption is not needed
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# The following includes must be copied into the configuration file; only core.ldif is included by default. Keep the file order.
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
#
# Server status monitoring
# Note: replace cn=Manager,dc=pudu,dc=com below with the DN of your own domain
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=pudu,dc=com" read by * none
#
# Backend database definitions
# Replace the database configuration section entirely with the following
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=pudu,dc=com
olcRootDN: cn=Manager,dc=pudu,dc=com
# Administrator (rootdn) password; slappasswd can generate a hashed {SSHA} value instead of a cleartext one
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
- 3. Regenerate the OpenLDAP configuration
# Remove the default configuration
[root@pd-cdh-192-168-0-7-node ~]# rm -rf /etc/openldap/slapd.d/*
# Generate the new configuration
[root@pd-cdh-192-168-0-7-node ~]# slapadd -F /etc/openldap/slapd.d -n 0 -l slapd.ldif
# Test the configuration
[root@pd-cdh-192-168-0-7-node ~]# slaptest -u -F /etc/openldap/slapd.d
# Change the owner of the configuration directory
[root@pd-cdh-192-168-0-7-node ~]# chown -R ldap. /etc/openldap/slapd.d/
- 4. Install the OpenLDAP database configuration file
[root@pd-cdh-192-168-0-7-node ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@pd-cdh-192-168-0-7-node ~]# chown -R ldap. /var/lib/ldap/
- Start the service
[root@pd-cdh-192-168-0-7-node ~]# systemctl enable slapd
[root@pd-cdh-192-168-0-7-node ~]# systemctl start slapd
[root@pd-cdh-192-168-0-7-node ~]# systemctl status slapd
Server configuration
- Import the root domain and the administrator account
# Create the LDIF file
[root@pd-cdh-192-168-0-7-node ~]# vim root.ldif
dn: dc=pudu,dc=com
dc: pudu
objectClass: top
objectClass: domain

dn: cn=Manager,dc=pudu,dc=com
objectClass: organizationalRole
cn: Manager
# Import it
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f root.ldif
# Check that the import succeeded
[root@pd-cdh-192-168-0-7-node ~]# ldapsearch -h pd-cdh-192-168-0-7-node -b "dc=pudu,dc=com" -D "cn=Manager,dc=pudu,dc=com" -W
- Import the base entries, users and groups
# Edit the migration template used to generate the LDIF files
[root@pd-cdh-192-168-0-7-node ~]# vim /usr/share/migrationtools/migrate_common.ph
# Change the values of the $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE variables
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "pudu.com";
# Default base
$DEFAULT_BASE = "dc=pudu,dc=com";
# Export the OpenLDAP base.ldif
[root@pd-cdh-192-168-0-7-node ~]# /usr/share/migrationtools/migrate_base.pl > base.ldif
[root@pd-cdh-192-168-0-7-node ~]# vim base.ldif
# Keep only the entries needed
dn: ou=People,dc=pudu,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=pudu,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# Export group.ldif from the operating system groups
[root@pd-cdh-192-168-0-7-node ~]# /usr/share/migrationtools/migrate_group.pl /etc/group > group.ldif
[root@pd-cdh-192-168-0-7-node ~]# vim group.ldif
# Keep only the entries needed
dn: cn=root,ou=Group,dc=pudu,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=pudu,ou=Group,dc=pudu,dc=com
objectClass: posixGroup
objectClass: top
cn: pudu
userPassword: {crypt}x
gidNumber: 1001
# Export the operating system users to an LDIF file
[root@pd-cdh-192-168-0-7-node ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > user.ldif
[root@pd-cdh-192-168-0-7-node ~]# vim user.ldif
# Keep only the entries needed
dn: uid=root,ou=People,dc=pudu,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$EVbxyGRp$MtFVbWZyrdFodu92MYuhN.
shadowLastChange: 18864
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=pudu,ou=People,dc=pudu,dc=com
uid: pudu
cn: pudu
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17566
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/pudu
Note that each user's gidNumber must match a group in group.ldif; otherwise the user ends up without a group.
- Import the base entries, users and groups into OpenLDAP with ldapadd
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f base.ldif
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f group.ldif
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f user.ldif
- Check the import result
[root@pd-cdh-192-168-0-7-node ~]# ldapsearch -h pd-cdh-192-168-0-7-node -b "dc=pudu,dc=com" -D "cn=Manager,dc=pudu,dc=com" -W |grep dn
Enter LDAP Password:
dn: dc=pudu,dc=com
dn: cn=Manager,dc=pudu,dc=com
dn: ou=People,dc=pudu,dc=com
dn: ou=Group,dc=pudu,dc=com
dn: cn=root,ou=Group,dc=pudu,dc=com
dn: cn=pudu,ou=Group,dc=pudu,dc=com
dn: uid=root,ou=People,dc=pudu,dc=com
dn: uid=pudu,ou=People,dc=pudu,dc=com
dn: uid=testldap,ou=People,dc=pudu,dc=com
dn: cn=test,ou=Group,dc=pudu,dc=com
dn: uid=hive,ou=People,dc=pudu,dc=com
dn: cn=hive,ou=Group,dc=pudu,dc=com
dn: cn=operate,ou=Group,dc=pudu,dc=com
dn: uid=operate,ou=People,dc=pudu,dc=com
dn: cn=etl,ou=Group,dc=pudu,dc=com
dn: uid=caokw,ou=People,dc=pudu,dc=com
dn: uid=wangsb,ou=People,dc=pudu,dc=com
dn: uid=zhousp,ou=People,dc=pudu,dc=com
dn: uid=liuly,ou=People,dc=pudu,dc=com
dn: uid=zengqy,ou=People,dc=pudu,dc=com
dn: uid=impala,ou=People,dc=pudu,dc=com
[root@pd-cdh-192-168-0-7-node ~]#
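Before running the ldapadd commands above, the exported files can be checked for the gidNumber mismatch the note warns about. This is an added example written for this page, not code from the original post or from migrationtools; the LDIF samples inside it are constructed to mirror the page's entries.

```python
def parse_ldif(text):
    """One {attr: [values]} dict per entry; attribute names are lower-cased."""
    entries, cur, lines = [], {}, []
    for raw in text.splitlines():          # fold RFC 2849 continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr == "dn" and cur:           # a new dn starts a new entry
            entries.append(cur)
            cur = {}
        cur.setdefault(attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def has_class(entry, cls):
    return cls.lower() in {v.lower() for v in entry.get("objectclass", [])}
def audit_accounts(user_ldif, group_ldif):
    """Return findings; an empty list means user.ldif is consistent with group.ldif."""
    gids = {g["gidnumber"][0] for g in parse_ldif(group_ldif)
            if has_class(g, "posixGroup") and "gidnumber" in g}
    findings = []
    for u in (e for e in parse_ldif(user_ldif) if has_class(e, "posixAccount")):
        uid = u.get("uid", ["?"])[0]
        gid, num = u.get("gidnumber", [None])[0], u.get("uidnumber", [None])[0]
        if gid not in gids:
            findings.append(f"{uid}: gidNumber {gid} has no posixGroup in group.ldif")
        if num == "0":   # the page exports root; a uid-0 entry served from LDAP deserves a second look
            findings.append(f"{uid}: uidNumber 0 (root-equivalent account served from LDAP)")
    return findings

# Constructed sample input modelled on the page's group.ldif / user.ldif (not real exports)
SAMPLE_GROUPS = """dn: cn=pudu,ou=Group,dc=pudu,dc=com
objectClass: posixGroup
gidNumber: 1001
"""
SAMPLE_USERS = """dn: uid=pudu,ou=People,dc=pudu,dc=com
objectClass: posixAccount
uid: pudu
uidNumber: 1001
gidNumber: 1001

dn: uid=etl,ou=People,dc=pudu,dc=com
objectClass: posixAccount
uid: etl
uidNumber: 1002
gidNumber: 1005
"""
```

Running audit_accounts(SAMPLE_USERS, SAMPLE_GROUPS) reports the etl user, whose gidNumber 1005 has no group.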
OpenLDAP client configuration
# Install the client packages
[root@pd-cdh-192-168-0-7-node ~]# yum -y install openldap-clients sssd authconfig nss-pam-ldapd
# Edit the configuration file
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://pd-cdh-192-168-0-7-node
BASE dc=pudu,dc=com
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
# Check that the client configuration is correct
[root@pd-cdh-192-168-0-7-node ~]# ldapsearch -D "cn=Manager,dc=pudu,dc=com" -W |grep dn
Integrating OpenLDAP with SSH login and syncing users through sssd
- 1. Edit /etc/sssd/sssd.conf
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=pudu,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://pd-cdh-192-168-0-7-node
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
[root@pd-cdh-192-168-0-7-node ~]# chmod 600 /etc/sssd/sssd.conf
[root@pd-cdh-192-168-0-7-node ~]# systemctl start sssd
[root@pd-cdh-192-168-0-7-node ~]# systemctl enable sssd
[root@pd-cdh-192-168-0-7-node ~]# systemctl status sssd
Integrating OpenLDAP with SSH
- 1. Edit /etc/ssh/sshd_config
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/ssh/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
### The important line is the one below
UsePAM yes
- 2. Edit /etc/pam.d/sshd
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Add the line below; it creates the user's home directory on first successful login
session required pam_mkhomedir.so
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
- 3. Edit /etc/pam.d/password-auth
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
### Add this line
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
### Add this line
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
### Add this line
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
### Add this line
session optional pam_ldap.so
- 4. Edit /etc/pam.d/system-auth
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
### Add this line
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
### Add this line
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
### Add this line
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
### Add this line
session optional pam_ldap.so
- 5. Restart the sshd service
[root@pd-cdh-192-168-0-7-node ~]# systemctl restart sshd
[root@pd-cdh-192-168-0-7-node ~]# systemctl status sshd
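To confirm that the edits from steps 3 and 4 landed where the stack can act on them, the following added checker (not from the original post) parses a password-auth or system-auth file and reports a phase with no pam_ldap.so rule, a pam_ldap.so rule placed after pam_deny.so, and an auth rule using use_first_pass with no earlier module to supply the password. The sample stack inside it is constructed from the page's lines.

```python
import re

# One PAM rule: optional leading "-", phase, control (word or [bracketed]), module, args
PAM_RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (phase, control, module, args) tuples for the rules in a PAM file."""
    rules = []
    for line in text.splitlines():
        m = PAM_RULE.match(line.strip())   # comment and blank lines do not match
        if m:
            rules.append(m.groups())
    return rules

def check_ldap_stack(text):
    """Findings for a stack that should route every phase through pam_ldap.so."""
    findings, rules = [], parse_pam(text)
    for phase in ("auth", "account", "password", "session"):
        mods = [r[2] for r in rules if r[0] == phase]
        if "pam_ldap.so" not in mods:
            findings.append(f"{phase}: no pam_ldap.so rule; directory users are not handled in this phase")
            continue
        ldap_at = mods.index("pam_ldap.so")
        if "pam_deny.so" in mods[:ldap_at]:   # a deny before it fixes the phase result to failure
            findings.append(f"{phase}: pam_ldap.so is listed after pam_deny.so, so its result cannot grant access")
        args = next(r[3] for r in rules if r[0] == phase and r[2] == "pam_ldap.so")
        if phase == "auth" and "use_first_pass" in args and "pam_unix.so" not in mods[:ldap_at]:
            findings.append("auth: pam_ldap.so use_first_pass has no earlier module to supply the password")
    return findings

# Constructed sample stack: the page's password-auth reduced to the lines that matter here
SAMPLE_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_unix.so
session optional pam_ldap.so
"""
```

check_ldap_stack(open("/etc/pam.d/password-auth").read()) runs the same checks against the live file; an empty list means every phase reaches pam_ldap.so.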
Integrating Hive with OpenLDAP on RedHat 7
1. Log in to the CM web console, open the Hive service and disable Hive impersonation
hive.server2.enable.doAs=false
2. Edit the LDAP settings. They can be set globally here; once saved, every HiveServer2 instance uses this configuration
Enable LDAP Authentication = true
hive.server2.authentication.ldap.url=ldap://pd-cdh-192-168-0-7-node
hive.server2.authentication.ldap.baseDN=ou=People,dc=pudu,dc=com
Save the configuration and restart the Hive service
Integrating Impala with OpenLDAP on RedHat 7
1. Log in to the CM web console, open the Impala service and edit the LDAP settings
enable_ldap_auth = true
ldap_uri = ldap://pd-cdh-192-168-0-7-node
ldap_baseDN = ou=People,dc=pudu,dc=com
Impala Daemon Command Line Argument Advanced Configuration Snippet (Safety Valve); the first flag is needed because the plain ldap:// URI above carries bind passwords unencrypted
--ldap_passwords_in_clear_ok
--authorized_proxy_user_config=hive=*
Integrating Hue with OpenLDAP on RedHat 7
First create a hive group and a hive user in OpenLDAP
- Log in to CM as an administrator, open the Hue configuration page and change the Hue authentication backend to LDAP
Note: it is still preferable to put this configuration in hue_safety_valve.ini
[desktop]
ldap_username=hive
ldap_password=hive
[[ldap]]
ldap_url=ldap://pd-cdh-192-168-0-7-node
ldap_username_pattern="uid=<username>,ou=People,dc=pudu,dc=com"
use_start_tls=false
base_dn="dc=pudu,dc=com"
sync_groups_on_login=true
search_bind_authentication=false
create_users_on_login=true
[[[users]]]
user_filter=objectClass=*
user_name_attr=uid
[[[groups]]]
group_filter=objectClass=*
group_name_attr=cn
group_member_attr=memberUid
In addition, add the following to the HDFS core-site.xml Cluster-wide Advanced Configuration Snippet (Safety Valve):
<property>
  <name>hadoop.proxyuser.hive.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hive.groups</name>
  <value>*</value>
</property>